JUNIPER NETWORKS SRX SERIES AND J SERIES NAT FOR ScreenOS USERS


APPLICATION NOTE
Understanding ScreenOS and Junos OS CLI Differences
Copyright 2010, Juniper Networks, Inc.

Table of Contents
  Introduction  1
  Scope  1
  Design Considerations  1
    Hardware Requirements  1
    Software Requirements  1
  Description and Deployment Scenario  1
  Source NAT  1
    Interface-Based Source NAT  1
    Source NAT with IP Pool (Dynamic Internet Protocol Pool with and without Port Translation)  2
    Source NAT with IP Address Shifting  3
    Source NAT with Loopback Group and Dynamic Internet Protocol (DIP)  3
  Static NAT  4
    Static NAT to a Single Host  4
    Static NAT to a Subnet  4
  Virtual IP  5
  Destination NAT  6
    Destination Address Translation to a Single Host  6
    Destination Address and Port Translation to a Single Host  6
    Destination Address Translation to a Single Host (same subnet)  7
  Summary  8
  About Juniper Networks  8

Table of Figures
  Figure 1: Source NAT  1
  Figure 2: Source NAT with loopback group and DIP  3
  Figure 3: Static NAT  4
  Figure 4: Virtual IP (VIP)  5
  Figure 5: Destination NAT  6

Introduction

Juniper Networks SRX Series Services Gateways and J Series Services Routers use the Juniper Networks Junos operating system command-line interface (CLI), which is unfamiliar to many current ScreenOS users. Because of the extensive Junos OS feature set, the command sequence required to configure NAT is often slightly longer than the ScreenOS equivalent. The following CLI examples provide a starting point for ScreenOS users planning to migrate to Junos OS.

Scope

The purpose of this application note is to compare several common ScreenOS Network Address Translation (NAT) CLI command sequences with the Junos OS equivalents. This paper does not provide an overview of the Junos OS next-generation NAT architecture. For more information on Junos OS NAT for Juniper Networks SRX Series Services Gateways and J Series Services Routers, please refer to the SRX Series and J Series Network Address Translation application note. This paper assumes the reader is familiar with NAT, ScreenOS, and the various NAT options available in ScreenOS.

Design Considerations

Hardware Requirements
  Juniper Networks J2320, J2350, J4350, and J6350 Services Routers
  Juniper Networks SRX Series Services Gateways

Software Requirements
  Junos OS release 9.2 or later for all SRX Series Services Gateways (a more recent release will be required for SRX Series Services Gateways released after 9.2)
  Junos OS release 9.5 or later for all Juniper Networks J Series Services Routers

Description and Deployment Scenario

Because NAT is what allows a private network to connect to the Internet, configuring it is often the first step required to deploy an SRX Series Services Gateway or J Series Services Router. After reviewing the following command sequences, readers should be able to configure several common NAT variations. The command sequences provided can be copied exactly, but the IP addresses used are examples only and will need to be changed as appropriate to meet deployment-specific addressing requirements.
Source NAT

Figure 1: Source NAT (Internet, SRX210 with 1.1.1.1/24 on the untrust side and the 10.1.1.0/24 network on the trust side)

Interface-Based Source NAT

  Interface      Zone      IP Address
  Ethernet 0/0   untrust   1.1.1.1/24
  Ethernet 0/1   trust     10.1.1.1/24

ScreenOS:
  set policy id 1 from trust to untrust any any any nat src permit

Junos OS:
  set security nat source rule-set interface-nat from zone trust
  set security nat source rule-set interface-nat to zone untrust
  set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set interface-nat rule rule1 then source-nat interface
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Source NAT with IP Pool (Dynamic Internet Protocol Pool with and without Port Translation)

  Interface      Zone      IP Address
  Ethernet 0/0   untrust   1.1.1.1/24
  Ethernet 0/1   trust     10.1.1.1/24

ScreenOS (with Port Translation):
  set int e0/0 dip 4 1.1.1.10 1.1.1.15
  set policy id 1 from trust to untrust any any any nat src dip-id 4 permit

Junos OS (with Port Translation):
  set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to zone untrust
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Note: The above command sequence can be changed to create a source pool without port translation.

ScreenOS (without Port Translation):
  set int e0/0 dip 4 1.1.1.10 1.1.1.15 fix-port

Junos OS (without Port Translation):
  set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
  set security nat source pool pool-1 port no-translation
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to zone untrust
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Source NAT with IP Address Shifting

  Interface      Zone      IP Address
  Ethernet 0/0   untrust   1.1.1.1/24
  Ethernet 0/1   trust     10.1.1.1/24

ScreenOS:
  set int e0/0 dip 4 shift-from 10.1.1.100 to 1.1.1.100 1.1.1.109

Junos OS:
  set security nat source pool pool-1 address 1.1.1.100 to 1.1.1.109
  set security nat source pool pool-1 host-address-base 10.1.1.100
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to zone untrust
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100 to 1.1.1.109
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Source NAT with Loopback Group and Dynamic Internet Protocol (DIP)

  Interface      Zone      IP Address
  Ethernet 0/0   untrust
  Ethernet 0/1   trust
  Loopback.1     untrust   1.1.1.1/24
  Ethernet 0/1   trust     10.1.1.1/24

Figure 2: Source NAT with loopback group and DIP (Internet, SRX210, 10.1.1.0/24 network on the trust side)

ScreenOS:
  set int e0/0 loopback-group lo.1
  set int e0/2 loopback-group lo.1
  set int loopback.1 dip 4 1.1.1.10 1.1.1.15
  set policy id 1 from trust to untrust any any any nat src dip-id 4 permit

Junos OS:
  set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to interface ge-0/0/0 interface ge-0/0/2
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
  set security nat proxy-arp interface ge-0/0/2 address 1.1.1.10 to 1.1.1.15
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Static NAT

Figure 3: Static NAT (Internet, SRX210 with 1.1.1.1/24 on the untrust side and the 10.1.1.0/24 network on the trust side)

In ScreenOS, the interface IP address can be used for static NAT (mapped IP). This option is not currently available in Junos OS.

Static NAT to a Single Host

  Mapped IP    Host IP Address
  1.1.1.100    10.1.1.100

ScreenOS:
  set int e0/0 mip 1.1.1.100 host 10.1.1.100
  set pol from untrust to trust any mip(1.1.1.100) http permit

Junos OS:
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32
  set security nat static rule-set static-nat from zone untrust
  set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.100
  set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.100
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Static NAT to a Subnet

  Mapped IP    Host IP Address
  1.1.1.0/28   10.1.1.0/28

ScreenOS:
  set int e0/0 mip 1.1.1.0 host 10.1.1.0 netmask 255.255.255.240
  set policy from untrust to trust any mip(1.1.1.0/28) http permit

Junos OS (the static rules must name the same rule-set, static-nat, that the from-zone statement creates):
  set security zones security-zone trust address-book address webserver-group 10.1.1.0/28
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.0/28
  set security nat static rule-set static-nat from zone untrust
  set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.0/28
  set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.0/28
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver-group application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Virtual IP

  Virtual IP/Port   Service   Host IP Address
  1.1.1.100/80      HTTP      10.1.1.100
  1.1.1.100/110     POP3      10.1.1.200

Figure 4: Virtual IP (VIP) (Internet, SRX210 with 1.1.1.1/24 on the untrust side and the 10.1.1.0/24 network on the trust side)

ScreenOS:
  set int e0/0 vip 1.1.1.100 80 http 10.1.1.100
  set int e0/0 vip 1.1.1.100 110 pop3 10.1.1.200
  set policy from untrust to trust any vip(1.1.1.100) http permit

Junos OS:
  set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100/32
  set security nat destination pool dnat-pool-2 address 10.1.1.200/32
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
  set security nat destination rule-set dst-nat rule rule1 match destination-port 80
  set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
  set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.100/32
  set security nat destination rule-set dst-nat rule rule2 match destination-port 110
  set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security zones security-zone trust address-book address mailserver 10.1.1.200
  set security zones security-zone trust address-book address-set servergroup address webserver
  set security zones security-zone trust address-book address-set servergroup address mailserver
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Destination NAT

Figure 5: Destination NAT (Internet, SRX210 with 1.1.1.1/24 on the untrust side and the 10.1.1.0/24 network on the trust side)

Destination Address Translation to a Single Host

In this example, the destination IP and the interface IP are on different subnets.

  Destination IP   Real Destination IP
  2.1.1.100        10.1.1.100

ScreenOS:
  set route 2.1.1.100/32 int e0/1
  set address trust webserver 2.1.1.100/32
  set pol from untrust to trust any webserver http nat dst ip 10.1.1.100 permit

Junos OS commands:
  set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application junos-http
  set security policies from-zone untrust to-zone trust policy dst-nat then permit

Destination Address and Port Translation to a Single Host

  Destination IP/Port   Real Destination IP/Port
  2.1.1.100/80          10.1.1.100/8000

ScreenOS:
  set route 2.1.1.100/32 int e0/1
  set address trust webserver 2.1.1.100/32
  set policy from untrust to trust any webserver http nat dst ip 10.1.1.100 port 8000 permit

Junos OS:
  set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100 port 8000
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set applications application http-8000 protocol tcp destination-port 8000
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application http-8000
  set security policies from-zone untrust to-zone trust policy dst-nat then permit

Destination Address Translation to a Single Host

In this example, the destination IP and the interface IP are on the same subnet.

  Destination IP   Real Destination IP
  1.1.1.100        10.1.1.100

ScreenOS:
  set arp nat
  set address trust webserver 1.1.1.100/32
  set pol from untrust to trust any webserver http nat dst ip 10.1.1.100 permit

Junos OS:
  set security nat destination pool dnat-pool-1 address 10.1.1.100/32
  set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 1.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address any application junos-http
  set security policies from-zone untrust to-zone trust policy dst-nat then permit
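The Junos OS sequences above repeat the same three dependencies: a rule names a rule-set that a from-zone statement must create, a rule names a pool that must exist, and every translated address on the untrust interface's subnet needs a proxy-arp entry or the gateway never answers ARP for it. The following linter, an added example that is not part of the application note, checks those dependencies over a constructed Junos OS set-command listing; the egress interface name and subnet (ge-0/0/0, 1.1.1.1/24) are assumed from the tables above.

```python
"""Added example, not from the Juniper application note: a linter for
Junos OS NAT 'set' command sequences like the ones compared above. It flags
a rule-set with no 'from' context, a rule that uses an undefined pool, and a
translated address on the egress subnet that no proxy-arp entry covers.
Interface name and subnet (ge-0/0/0 = 1.1.1.1/24) are assumed, not parsed."""
import ipaddress
import re
from collections import defaultdict

def addr_range(spec):
    """'1.1.1.10 to 1.1.1.15', '1.1.1.0/28' or '1.1.1.100' -> (first, last)."""
    m = re.fullmatch(r"(\S+) to (\S+)", spec)
    if m:
        return ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
    net = ipaddress.ip_network(spec, strict=False)
    return net[0], net[-1]

def parse_nat(lines):
    """Collect pools, rule-sets, pool references, proxy-arp ranges and the
    addresses the gateway must own (source pools, static/destination matches)."""
    pools, rulesets, refs, owned, proxy = set(), {}, [], [], defaultdict(list)
    for line in lines:
        t = line.split()
        if t[:3] != ["set", "security", "nat"]:
            continue                          # policies, zones etc. are ignored
        if t[3] == "proxy-arp":               # ... interface IFL address SPEC
            proxy[t[5].split(".")[0]].append(addr_range(" ".join(t[7:])))
        elif t[4] == "pool":                  # ... KIND pool NAME address SPEC [port N]
            pools.add((t[3], t[5]))
            if t[3] == "source" and t[6] == "address":
                spec = t[7:t.index("port")] if "port" in t else t[7:]
                owned.append((f"source pool {t[5]}",) + addr_range(" ".join(spec)))
        elif t[4] == "rule-set":              # ... KIND rule-set NAME from|to|rule ...
            rs = rulesets.setdefault((t[3], t[5]), {"from": False})
            if t[6] == "from":
                rs["from"] = True
            elif t[6] == "rule" and t[8] == "match" and "destination-address" in t:
                if t[3] in ("static", "destination"):
                    spec = t[t.index("destination-address") + 1]
                    owned.append((f"{t[3]} rule-set {t[5]} rule {t[7]}",) + addr_range(spec))
            elif t[6] == "rule" and t[8] == "then" and len(t) > 11 and t[10] == "pool":
                refs.append((t[3], t[11], t[5], t[7]))
    return pools, rulesets, refs, owned, proxy

def lint_nat(lines, interfaces):
    """Return a list of findings; interfaces maps an interface to its subnet."""
    pools, rulesets, refs, owned, proxy = parse_nat(lines)
    findings = []
    for (kind, name), rs in rulesets.items():
        if not rs["from"]:
            findings.append(f"{kind} rule-set {name} has no 'from' context")
    for kind, pool, rs, rule in refs:
        if (kind, pool) not in pools:
            findings.append(f"{kind} rule-set {rs} rule {rule} uses undefined pool {pool}")
    for ifl, subnet in interfaces.items():
        net = ipaddress.ip_network(subnet, strict=False)
        for label, first, last in owned:
            if first in net and not any(a <= first and last <= b for a, b in proxy[ifl]):
                findings.append(f"{label}: {first}-{last} on {ifl} is not covered by proxy-arp")
    return findings

# Constructed sample based on the page's pool, static-to-subnet and destination
# NAT sequences, with three planted mistakes: a mistyped static rule-set name,
# an undefined destination pool, and a source pool wider than its proxy-arp.
SAMPLE = """\
set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.20
set security nat source rule-set pool-nat from zone trust
set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/0 address 1.1.1.0/28
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-set rule rule1 match destination-address 1.1.1.0/28
set security nat static rule-set static-set rule rule1 then static-nat prefix 10.1.1.0/28
set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-9
""".splitlines()
INTERFACES = {"ge-0/0/0": "1.1.1.1/24"}  # assumed egress interface and subnet
```

Running lint_nat(SAMPLE, INTERFACES) reports the three planted mistakes; the 2.1.1.100 destination is not flagged because, as in the page's different-subnet example, it is not on the interface subnet.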

Summary

Juniper Networks SRX Series Services Gateways and J Series Services Routers use the Junos OS command-line interface, which may seem somewhat foreign to current ScreenOS users. The preceding CLI comparisons can be used by ScreenOS users to better understand the Junos OS equivalents. After working through all the examples, the reader should be able to easily configure NAT for several common deployment scenarios.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King's Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. EMEA Sales: 00800.4586.4737. Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or an authorized reseller.

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3500152-003-EN May 2010